feat: implement cmpd's PolicyRules

[cjc7373]

Fixes #8310. Things done in this PR:

• implements cmpd's PolicyRules
• changes the semantics of serviceAccountName in cluster and component CR. KB now does not create rbac resources if user has specified a service account.
• serviceaccount is now within a component's level, with a name of kb-<clusterName>-<compName>.

Addon changes (like update pg addon's cmpd policyRule since we removed kubeblocks-patroni-pod-role) will be addressed in apecloud/kubeblocks-addons#1197.

[codecov]

Codecov Report

Attention: Patch coverage is 66.50485% with 69 lines in your changes missing coverage. Please review.

Project coverage is 60.78%. Comparing base (67c8856) to head (3bceb13).
Report is 7 commits behind head on main.

Files with missing lines	Patch %	Lines
controllers/apps/transformer_component_rbac.go	72.44%	21 Missing and 14 partials ⚠️
controllers/apps/transformer_component_deletion.go	59.61%	14 Missing and 7 partials ⚠️
pkg/controller/factory/builder.go	21.42%	11 Missing ⚠️
controllers/apps/transformer_cluster_deletion.go	50.00%	0 Missing and 1 partial ⚠️
pkg/controller/component/synthesize_component.go	50.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8328      +/-   ##
==========================================
+ Coverage   60.62%   60.78%   +0.15%     
==========================================
  Files         376      377       +1     
  Lines       45405    45462      +57     
==========================================
+ Hits        27528    27632     +104     
+ Misses      15329    15257      -72     
- Partials     2548     2573      +25     

Flag	Coverage Δ
unittests	60.78% <66.50%> (+0.15%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[cjc7373]

relevant addon PR: apecloud/kubeblocks-addons#1197

[leon-inf]

Should the controller still need to bind these rules defined in kubeblocks-cluster-pod-role in case they are not bound by the user?

[leon-inf]

The rules in cmpd are the same.

[leon-inf]

Since this field only involves the declaration of the service account (name) and does not pertain to the rules bound.

[leon-inf]

As a further improvement, components with the same cmp can share a default service account.

[cjc7373]

So that the rbac provision can be moved to cmpd controller?

[cjc7373]

I ignored a problem. Cmpd is not namespaced, but serviceaccount/rolebinding is. So that it is not feasible to move rbac provision to cmpd controller. Cmpd controller can watch a component to trigger reconcile. The reconcilation related to rbac may look like this:

• It lists all components that references the cmpd. Find all the namespaces of them (list 1).
• It lists all managed rbac resources (serviceaccount/rolebinding/role) using label selector. Find all the namespaces of them (list 2).
• Create/update rbac resources in list 1.
• Delete rbac resouces in list 2 but not in list 1.

[cjc7373]

After a second thought, rbac provision will remain in component controller.

These rbac resources will use the component which first creates them as their owner. If the component has been deleted, their owner will be transfered to another component which shares a same cmpd. If no such component can be found, they will be deleted.

Another note: equality.Semantic is used to replace reflect.DeepEqual to avoid the false alarm of something like reflect.DeepEqual([]v1.LocalObjectReference(nil), []v1.LocalObjectReference{})